Open LockeColtenPFG opened 3 years ago
Hi @LockeColtenPFG, thank you for submitting this issue. There was a problem with the read function and we fixed it. Both issues you have mentioned still have API-related problems.
Selection name: the MGMT server adds an 'adgroup' prefix to each name and the provider uses these names as is. We will try to find a solution for it in the next version.
Source name: the access-role API show function does not return the source per object, so we cannot currently support many AD groups. For now the provider only supports a single AD group with the name CpmiAdGroup, and the problem should not appear anymore. We will allow a different name to be used in the provider's next version, but note that we need the API to be changed to allow more than one AD group.
Thank you, Alon
By saying you "fixed" it, will the new provider version act like how it did in 1.4.0 and not report all these changes? If yes, can you issue a fix release (like 1.6.1) for this so we don't have to downgrade our provider?
Hi @deutmeyerbrianpfg, publishing a new version takes time (even if it is a sub-version); we will try to fix and release the version as soon as possible. About your question: we are still working on a fix, and I will be able to answer properly after we fix this issue.
Any update on a fix for this?
Hi @b-diggity, We are working on this fix, there is no ETA, but it will be published in Q1.
I see PR #95 was created, but a fix for this doesn't appear to be included? Q1 is winding down...is this still going to be fixed this quarter?
Hi @deutmeyerbrianpfg, unfortunately this issue will not be fixed soon due to API limitations; I am sorry for saying it would be published in Q1. We need to wait for the API to be fixed in order for us to fix this issue properly. As I said before, "For now the provider only support single AD group with name CpmiAdGroup and the problem should not appear anymore." I hope you find it useful. We will publish a solution when the API command allows us to.
I will comment here on any progress, and we will fix this issue when possible. Sorry for the inconvenience. Alon.
Can you post a code example for what you are referring to with CpmiAdGroup?
resource "checkpoint_management_access_role" "example" {
  name = "New Access Role 1"
  machines {
    source    = "any"
    selection = ["any"]
  }
  users {
    source    = "CpmiAdGroup"
    selection = ["AD1", "AD2"]
  }
}
Note that this solution will still show the change LockeColtenPFG mentioned in the selection: "For example
users { ~ selection = [
So this code results in changes:
resource "checkpoint_management_access_role" "example" {
  name = "example_ar"
  users {
    source    = "myad.com__AD"
    selection = ["MY GROUP NAME"]
  }
}
Are you saying that I can change my source to CpmiAdGroup and the validation errors will go away as long as only one group is used in the selection? Like this?:
resource "checkpoint_management_access_role" "example" {
  name = "example_ar"
  users {
    source    = "CpmiAdGroup"
    selection = ["MY GROUP NAME"]
  }
}
Hi @deutmeyerbrianpfg, sorry for the late response. Because of the API issue you will still get a validation error on the selection field, as mentioned by LockeColtenPFG. It will only disable the validation error on the source field. I will let you know as soon as we find a solution to this issue.
Hi @chkp-alonshev is there still no fix for this? It is causing our pipeline to run very slow due to all the updates it thinks it needs to make each time. Do we need to submit an API enhancement request with our account team? Thanks for keeping after this one.
Hi, this is an API issue and not relevant to the provider. It was fixed in version R82 and will probably be in the JHFs as well.
Regards, Roy
Thanks for the reply, Roy!
Are you able to elaborate a little more on what is missing in the API that creates this problem? I'd like to get a formal enhancement request into our account team. This is causing an extreme slowdown on our side, and I'd like to make sure that it is truly incorporated into R82.
It's been almost two years now so I could be mistaken, but I don't recall this being a problem when we first started using this provider. According to the first post of this thread, it looks like something changed between 1.4 and 1.6. Do you recall why the API limitation wasn't a problem until then?
The API is missing data for Terraform, so the access-role resource cannot work properly. According to the change log, the access role resource was changed in v1.5; the resource did not work well before that because of incorrect logic in some fields. In v1.5 we fixed some bugs in the resource given the missing data we receive from the API, but from R82 this issue was resolved.
After bumping from 1.4 to 1.6, the terraform plan that was generated appears to want to modify our existing Access Role objects to some weird syntax
For example
users { ~ selection = [
The next apply after the update caused this to appear in the plan. It switched our selections syntax, prepended adgroup to the name, and removed the hyphens from the existing selection.
This happened to every AR object we had defined (30ish)
Another oddity we noticed was the source we defined in an AR randomly thought it was cpmiADgroup and wanted to modify itself back to the original value that had never changed.
Is this expected behavior in 1.6?
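Added example, not part of the thread and not the provider's code: when every access role shows an update on each plan, a genuine change to an access role is easy to miss among them. The sketch below triages the `resource_changes` of a `terraform show -json` plan, marking an access-role update as known drift only if it is limited to `users.source` (with CpmiAdGroup on one side) and `users.selection` (same number of entries). The function names, verdict labels and sample plan are assumptions made for illustration.

```python
import json, sys

AR_TYPE = "checkpoint_management_access_role"
REPORTED_SOURCE = "cpmiadgroup"  # source value the thread says comes back (compared case-insensitively)

def differing(before, after):  # keys whose values differ between two attribute maps
    before, after = before or {}, after or {}
    return {k for k in set(before) | set(after) if before.get(k) != after.get(k)}

def users_drift_only(b, a):
    """True if one users block differs only in the ways the thread describes."""
    diff = differing(b, a)
    sources = {str(b.get("source")).lower(), str(a.get("source")).lower()}
    source_ok = "source" not in diff or REPORTED_SOURCE in sources
    # A rewritten name keeps the entry count; an added or removed group does not.
    same_count = len(b.get("selection") or []) == len(a.get("selection") or [])
    return diff <= {"source", "selection"} and source_ok and same_count

def classify(rc):
    """Return 'no-op', 'known-drift' or 'review' for one resource_changes entry."""
    change = rc["change"]
    if change["actions"] == ["no-op"]:
        return "no-op"
    if rc.get("type") != AR_TYPE or change["actions"] != ["update"]:
        return "review"
    before, after = change["before"], change["after"]
    b_users, a_users = before.get("users") or [], after.get("users") or []
    if differing(before, after) != {"users"} or len(b_users) != len(a_users):
        return "review"
    ok = all(users_drift_only(b, a) for b, a in zip(b_users, a_users))
    return "known-drift" if ok else "review"

def triage(plan):
    return {rc["address"]: classify(rc) for rc in plan.get("resource_changes", [])}

# Constructed sample in the shape of `terraform show -json` output; the rewritten
# selection value is a placeholder because the thread does not show the exact format.
SAMPLE_PLAN = {"resource_changes": [
    {"address": AR_TYPE + ".example", "type": AR_TYPE, "change": {"actions": ["update"],
        "before": {"name": "example_ar", "users": [{"source": "CpmiAdGroup", "selection": ["<server-rewritten name>"]}]},
        "after": {"name": "example_ar", "users": [{"source": "myad.com__AD", "selection": ["MY GROUP NAME"]}]}}},
    {"address": AR_TYPE + ".grown", "type": AR_TYPE, "change": {"actions": ["update"],
        "before": {"name": "grown", "users": [{"source": "CpmiAdGroup", "selection": ["<server-rewritten name>"]}]},
        "after": {"name": "grown", "users": [{"source": "CpmiAdGroup", "selection": ["MY GROUP NAME", "SECOND GROUP"]}]}}},
]}

if __name__ == "__main__":  # pass a file saved from `terraform show -json` as argv[1]
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    print(json.dumps(triage(src), indent=2))
```

A one-for-one swap of a group name still lands in `known-drift`, because the plan alone cannot distinguish it from the server's rewrite; the check narrows what needs review rather than replacing it.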